Effective date: December 20th, 2025
Step2Flow (“Step2Flow”, “we”, “us”, or “our”) operates the Step2Flow work management platform, including the web application and mobile applications for Android and iOS (collectively, the “Service”).
This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data. We process personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. Unless otherwise defined, capitalized terms used in this Privacy Policy have the same meanings as in our Terms of Service.
Definitions
Service
Service means the Step2Flow work management platform, including the web app available at https://step2flow.com and the Step2Flow mobile applications for Android and iOS.
Personal Data
Personal Data means any information relating to an identified or identifiable natural person, such as name, email address, phone number, or other information that can be linked to an individual.
Usage Data
Usage Data is data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, device identifiers, log data, and interaction with features of the platform).
Cookies
Cookies are small text files stored on your device (computer or mobile device) that help us recognize your browser and remember certain information.
Data Controller
Data Controller means the natural or legal person who determines the purposes and means of the processing of Personal Data. For the purpose of this Privacy Policy, Step2Flow is the Data Controller of Personal Data processed about visitors to our websites and administrators of customer accounts.
Data Processor
Data Processor means any natural or legal person who processes Personal Data on behalf of the Data Controller. For customer organizations using Step2Flow with their own employees, Step2Flow typically acts as a Data Processor of their employees’ data, while the customer organization is the Data Controller.
Data Subject
Data Subject is any living individual who is the subject of Personal Data that we process.
User
User means any individual who is authorized by a customer organization to use the Service (for example, employee, contractor, or collaborator) and who has access to Step2Flow via web or mobile applications.
Information Collection and Use
We collect several different types of information for various purposes to provide and improve our Service, including enabling task management, internal calendar scheduling, team coordination, and analytics for business customers.
Types of Data Collected
Personal Data
While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to:
- Email address
- First name and last name
- Job title and team/department information
- Company name and billing details (for account admins)
- Phone number (optional, if provided)
- Profile photo or avatar (optional)
- Location data when enabled (e.g., for task geolocation and check‑in features)
We may use your Personal Data to contact you with service‑related notifications, onboarding information, billing and administrative messages, or marketing communications that may be relevant to your organization. You can opt out of marketing emails at any time using the unsubscribe link in our emails.
Usage Data
We may also collect information on how the Service is accessed and used (“Usage Data”). This Usage Data may include information such as:
- Device type and operating system (web, Android, iOS)
- Internet Protocol (IP) address
- Browser type and version (for web access)
- Pages/screens of our Service that you visit
- Time and date of your visit and time spent on pages
- App events such as task created/updated/completed, project opened, file uploaded
- Approximate location (when location permissions are enabled by the user or the organization)
- Other diagnostic data used to maintain and improve the Service
Tracking & Cookies Data
We use cookies and similar tracking technologies to track the activity on our web application and hold certain information. Cookies may be used for authentication, security, preferences, and analytics.
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our web Service.
Examples of cookies we use:
- Session Cookies. We use Session Cookies to operate our Service.
- Preference Cookies. We use Preference Cookies to remember your settings.
- Security Cookies. We use Security Cookies for security purposes.
- Analytics Cookies. We use Analytics Cookies to understand how the Service is used.
Use of Data
Step2Flow uses collected data for various purposes, including to:
- Provide, operate, and maintain our web and mobile Service
- Create and manage user accounts and team workspaces
- Assign and track tasks, projects, and schedules within your organization
- Display internal calendars, workload, and team availability
- Send notifications to users’ devices (web, Android, iOS) about tasks, reminders, and changes
- Provide customer support and respond to inquiries
- Monitor and analyze usage to improve the Service and user experience
- Detect, prevent, and address technical issues, abuse, or security incidents
- Manage billing, subscriptions, and payments for the Service
- Comply with legal obligations and enforce our Terms of Service
Legal Basis for Processing Personal Data (GDPR)
If you are located in the European Economic Area (EEA), Step2Flow’s legal basis for collecting and using Personal Data described in this Privacy Policy depends on the Personal Data we collect and the specific context in which we collect it.
We may process your Personal Data because:
- We need to perform a contract with you or your employer (Art. 6(1)(b) GDPR)
- You have given us consent to do so (Art. 6(1)(a) GDPR)
- The processing is in our legitimate interests and is not overridden by your rights (Art. 6(1)(f) GDPR)
- We need to comply with a legal obligation (Art. 6(1)(c) GDPR)
Retention of Data
Step2Flow will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy or as required by applicable law.
We retain account and profile information for the duration of the customer contract and for a reasonable period thereafter for backup, archiving, dispute resolution, and legal compliance.
Usage Data is generally retained for a shorter period, except when it is used to improve security or troubleshoot issues, or when we are legally required to retain it for longer time periods.
Transfer of Data
Your information, including Personal Data, may be transferred to and maintained on servers located outside of your country, where data protection laws may differ from those in your jurisdiction.
Where we transfer Personal Data outside the EEA/UK, we use appropriate safeguards such as Standard Contractual Clauses or other legally recognized mechanisms to ensure an adequate level of protection.
Disclosure of Data
Business Transfers
If Step2Flow is involved in a merger, acquisition, or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.
Disclosure for Law Enforcement
Under certain circumstances, we may be required to disclose your Personal Data by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Legal Requirements
Step2Flow may disclose your Personal Data in good faith where such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of Step2Flow
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of users of the Service or the public
- Protect against legal liability
Security of Data
The security of your data is important to us. We implement appropriate technical and organizational measures to protect Personal Data, including access controls, encryption in transit where appropriate, role‑based permissions, and logging.
However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
Your Data Protection Rights Under GDPR
If you are a resident of the EEA or UK, you have certain data protection rights. Step2Flow aims to take reasonable steps to allow you to exercise these rights via your account settings or by contacting us.
Subject to conditions and applicable law, you may have the right to:
- Access, update, or delete the Personal Data we hold about you
- Rectify inaccurate or incomplete data
- Object to the processing of your Personal Data
- Request restriction of processing of your Personal Data
- Request data portability of your Personal Data
- Withdraw consent where processing is based on consent
You also have the right to lodge a complaint with your local data protection authority if you believe that our processing of your Personal Data violates applicable data protection law.
Service Providers
We may employ third‑party companies and individuals (“Service Providers”) to facilitate our Service, provide the Service on our behalf, perform Service‑related services, or assist us in analyzing how our Service is used.
These Service Providers have access to Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any purpose other than providing services to Step2Flow.
Analytics
We may use third‑party analytics tools (such as privacy‑conscious analytics providers or self‑hosted solutions) to monitor and analyze the usage of our Service and help us improve its performance and usability.
Payments
We may provide paid subscriptions for the Service. In that case, we use third‑party payment processors to handle payment transactions.
We do not store or collect your full payment card details. That information is provided directly to our payment processors, whose use of your Personal Data is governed by their respective privacy policies and PCI‑DSS standards.
Mobile Applications and Location Data
Our Android and iOS mobile applications allow users to receive tasks, notifications, and updates on their mobile devices and, optionally, to share location data linked to specific tasks or check‑ins.
Location data processing is controlled by your device settings and organizational configuration. You can disable location permissions in your device settings at any time. If you do so, some location‑based features (such as task geolocation, on‑site check‑ins, or route optimization) may not function.
Links to Other Sites
Our Service may contain links to other sites that are not operated by us. If you click a third‑party link, you will be directed to that site. We strongly advise you to review the privacy policy of every site you visit.
We have no control over and assume no responsibility for the content, privacy policies, or practices of any third‑party sites or services.
Children’s Privacy
Our Service is intended for use by businesses and organizations and is not directed to individuals under the age of 16. We do not knowingly collect Personal Data from children under 16.
If you are a parent or guardian and become aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from a child without verifiable parental consent, we will take steps to remove that information from our systems.
Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the “Effective date” at the top.
Where required by law, we will also notify you via email and/or an in‑app notice prior to the changes becoming effective. You are advised to review this Privacy Policy periodically for any changes.
Contact Us
If you have any questions about this Privacy Policy or our data practices, you can contact us:
- By email: info@step2flow.com
- By post: 1309 Coffeen Ave Ste 1200, Sheridan, WY, 82801
- Via our contact form: https://step2flow.com/kontakt/